From cyberpropaganda to IoT bonets: Strap yourself in for a rocky 2017

It’s that time of the year again: when the great and good of the cybersecurity industry reach for their crystal balls to anticipate what the threat landscape might look like in the next 12 months. We all know cybercriminals by and large don’t operate to annual deadlines.

But December still represents a good opportunity for us to point out what might be coming down the road. It’s what Trend Micro’s 1,200-strong global threat research team does all year round to ensure we’re prepared for anything the black hats can throw at us. The good news for the UK’s CISOs is that much of what we’ll see is a steady evolution from threats that will already be familiar to many. The bad news: that won’t make them any less dangerous.

Ransomware jumps 25 per cent

If you had to choose any theme to sum up 2016 it would probably be online extortion. Ransomware has become the favourite way for cybercriminals to make a fast buck. And after some malicious code went public earlier in the year, the number of new ransomware families we discovered between January and September rocketed a massive 400 per cent.

This growth will slow in 2017 to around 25 per cent, but as competition between the black hats intensifies we’re increasingly likely to see online extortion used as a component of data breaches, in a bid to maximise profits. Industrial systems as well as non-desktop environments such as ATMs and POS could be in the crosshairs if the bad guys think they’ll be able to make more money out of these attacks. They might well be right.

Industrial systems under fire

It’s not just ransomware that IT managers in industrial facilities have to worry about in 2017. We could also see an uptick in targeted attacks like the BlackEnergy campaign. During that blitz last December, possibly state-sponsored operatives successfully took Ukrainian power stations offline, cutting heat for tens of thousands in the middle of winter. SCADA bugs comprised 30 per cent of the total number of vulnerabilities found by our TippingPoint business in 2016. Organisations must therefore patch promptly when updates become available, and fortify systems with things like virtual patching and intrusion prevention tools.

The risk to those operating in the energy, manufacturing and similar sectors will only multiply as the Internet of Things finds its way into more and more industrial environments. IoT might drive increased efficiencies, but it also introduces new risk.

Mirai just the start

Over the past couple of months a new and disturbing trend has begun to permeate the threat landscape: IoT-powered botnets. They’re not particularly new. But the public disclosure of the Mirai malware, which automatically scans the internet for smart devices only protected by factory/default log-ins, has elevated them to a major threat.

Mirai is responsible for what are thought to be the biggest DDoS attacks ever recorded – against the Krebs on Security site and French hoster OVH. As more and more consumer-grade smart devices find their way into homes and businesses, the threat will only grow. Especially if manufacturers continue to prioritise time-to-market over security.

Service-oriented, news, corporate, and political sites are particularly at risk of being DDoS-ed in this way – either by hacktivists, politically motivated operatives or those looking to extort money from their victims.

From BEC to BPC

Business Email Compromise (BEC) was another big one for 2016. These scam emails are spoofed to come from the CEO and designed to trick a member of the finance or accounts payable team to transfer funds to a bank account owned by the cybercriminal. They’re particularly hard to block for some security filters as they contain no malware – it’s all about social engineering. But with the average pay-out for BEC $140,000, versus just $722 for ransomware, you can be sure to see a lot more of these attacks in 2017.

Not only that, but some cybercrimnals with their eyes on an even bigger prize are set to extend their capabilities with what we’re calling Business Process Compromise (BPC) attacks. Targeting mainly the financial sector, these require the attackers to hack directly into purchase order or payment deliver systems to intercept and modify transactions.

The end goal is the same as BEC. But BPC is different in requiring a detailed understanding of the target organisation’s internal processes and systems, and often the modification and deletion of certain entries to ensure the attack goes unnoticed.

Cyberpropaganda

Away from traditional threats, 2017 will see the continued rise of something potentially more damaging to global stability – what we’re calling cyberpropaganda. As Brexit and the US elections have shown us, fake news is becoming a disturbing trend. We’ve noticed certain individuals even boasting on the cybercrime underground that they can make $20 per month by driving traffic to sites filled with fabricated content designed to smear political candidates.

No doubt, nation states are also sponsoring similar activity, frequently using social media sites like Facebook and LinkedIn to publicise propaganda. The problem comes down to a lack of vetting from the major social platforms, coupled with netizens’ credulity. Let’s hope Facebook and Google’s move to pull advertising from sites bearing fake news, will have some effect going forward.

Attacks get smarter

Targeted attack campaigns are nothing new – they’ve been with us for almost a decade. But they are constantly evolving, and 2017 will be no different. We can expect the use of sandbox detection and virtual machine (VM) escapes in an attempt to evade detection by advanced security filters.

The black hats may even try to target or inundate sandboxes themselves in a bid to overcome defences.

This will put increasing pressure on the UK’s security professionals to find the right blend of tools for the job. The answer is cross-generational, multi-layered technology comprising everything from app whitelisting, gateway protection, web reputation, vulnerability shielding and intrusion prevention to sandboxing and behaviour/integrity monitoring.

And when even these techniques fail to stop an attack, high-fidelity machine learning can filter out the most sophisticated of threats. It’s certainly going to be a challenging year ahead. Especially with other budgetary pressures such as GDPR compliance to consider. But whoever said information security was easy?